Hi Baptiste,

As always, thank you for your responses. Yes, it did occur to me that I can set up fail2ban directly on the load balancer, but I was trying to go a step further and see if there were IP-specific attacks on the individual app servers; if so, I would see them in apache/access.log and could then use a regular expression to stop them. So I tried that, and here are my findings.

My configuration is stunnel (stunnel 4.35 on x86_64) --> haproxy 1.4.24 --> apache/2.2.22. haproxy and stunnel are on the same server, so when I access my website I see the client public IP in stunnel:

    2013.09.26 10:15:28 LOG5[4280:140577939285760]: Service https-lb1 accepted connection from <Client_public_ip>:50902
    2013.09.26 10:15:28 LOG5[4280:140577939285760]: connect_blocking: connected 10.0.0.1:8000
    2013.09.26 10:15:28 LOG5[4280:140577939285760]: Service https-lb1 connected remote server from 10.0.0.1:35350
    2013.09.26 10:15:28 LOG3[4280:140577939285760]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
    2013.09.26 10:15:28 LOG5[4280:140577939285760]: Connection closed: 9895 bytes sent to SSL, 791 bytes sent to socket
    2013.09.26 10:15:29 LOG5[4280:140577939285760]: Service https-lb1 accepted connection from <Client_public_ip>:50903
    2013.09.26 10:15:29 LOG5[4280:140577939355392]: Service https-lb1 accepted connection from <Client_public_ip>:50904
    2013.09.26 10:15:29 LOG5[4280:140577939076864]: Service https-lb1 accepted connection from <Client_public_ip>:50905
    2013.09.26 10:15:29 LOG5[4280:140577939146496]: Service https-lb1 accepted connection from <Client_public_ip>:50906
    2013.09.26 10:15:29 LOG5[4280:140577939633920]: Service https-lb1 accepted connection from <Client_public_ip>:50907
    2013.09.26 10:15:29 LOG5[4280:140577940121344]: Service https-lb1 accepted connection from <Client_public_ip>:50908
    2013.09.26 10:15:29 LOG5[4280:140577939285760]: connect_blocking: connected 10.0.0.1:8000

But when the request reaches the haproxy log, i.e. /var/log/haproxy_0.log, I don't see the client public IP; I just see the internal IP of the haproxy server:

    localhost haproxy[27745]: 10.0.0.1:45260 [26/Sep/2013:10:19:59.110] http-in load/l2-app 0/0/1/529/530 404 9560 - - --VN 0/0/0/0/0 0/0 "GET /product/da.ddd HTTP/1.1"

So how can I show the client public IP in the haproxy log, so that I can trigger fail2ban rules to block bad requests?

stunnel.conf:

    ~$ more /etc/stunnel/stunnel.conf
    ;setuid = nobody
    ;setgid = nogroup
    pid = /etc/stunnel/stunnel.pid
    debug = 5
    output = /etc/stunnel/stunnel.log
    socket=l:TCP_NODELAY=1
    socket=r:TCP_NODELAY=1
    [https-lb]
    cert=/etc/stunnel/ssl/group-wildcard.pem
    key = /etc/stunnel/ssl/star_cert_com.key
    accept=<server_public_ip>:443
    connect=10.0.0.1:8000
    TIMEOUTclose=0
    xforwardedfor=yes

Thanks once again

________________________________
From: Baptiste <[email protected]>
To: Amol <[email protected]>; HAProxy <[email protected]>
Sent: Thursday, September 26, 2013 1:44 AM
Subject: Re: haproxy x-forward-for use during fail2ban

Hi Amol.

HAProxy is a reverse proxy, and by default it uses a local server IP address to get connected to the backend server. This is layer 3 and 4. HAProxy uses HTTP, layer 7, to forward the client IP to the server, in a header called X-Forwarded-For. Your web server relies on layer 7 information while fail2ban relies on layer 3 and 4. Simply move your fail2ban onto the haproxy server :) Or turn haproxy into transparent proxy mode.

Baptiste

On 26 Sep 2013 06:01, "Amol" <[email protected]> wrote:

> I was trying to add fail2ban on my Ubuntu 10.04 LTS app servers and I realized that fail2ban is blocking my load balancer IP whenever a bad request is formed, so I have some questions on my implementation of X-Forwarded-For.
>
> In my apache access log I see this entry when I try to hit an incorrect URL:
>
> apache/access.log
> - - - [25/Sep/2013:23:47:42 -0400] "OPTIONS /product/data.php HTTP/1.1" 200 3477 "-" "-"
>
> Why is it missing the public IP of the client server?
>
> While if a request comes in from wordpress I see the public IP in the access.log:
>
> apache/access.log
> <PUBLIC_IP> - - [25/Sep/2013:23:45:21 -0400] "GET /wp-content/themes/test/lib/scripts/cluetip/jquery.cluetip.js?ver=3.1 HTTP/1.1" 304 - "https://xxx/our-apps/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0"
>
> In my haproxy.cfg, I do have entries relevant for X-Forwarded-For:
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     option http-server-close
>     option forwardfor except 10.0.0.1   # set the client's IP in X-Forwarded-For.
>     option redispatch
>     timeout connect 5s
>     timeout client 180s
>     timeout server 180s
>     timeout http-request 5s             # A complete request may never take that long.
>     errorfile 503 /etc/haproxy/errors/503.http
>
> frontend http-in
>     bind <public_IP>:80 name http
>     bind <private_IP>:8000 name https   # forwarded by stunnel
>
>     option forwardfor
>     acl host_d1 hdr_beg(host) -i d1.xx.com
>     use_backend d1 if host_demo1
>     acl host_d2 hdr_beg(host) -i d2.xx.com
>     use_backend d2 if host_setdemo
>     acl host_d3 hdr_beg(host) -i d3.xx.com
>     use_backend d3 if host_d3
>     default_backend d4
>
> backend d2
>     acl secure dst_port eq 8000
>     stats enable
>     stats auth admin:admin
>     stats uri /admin?stats
>     balance roundrobin
>     cookie BALANCEID insert indirect nocache
>     option http-server-close
>     option forwardfor except 10.0.0.1   # set the client's IP in X-Forwarded-For.
>     option httpchk OPTIONS /check.php HTTP/1.1\r\nHost:\ www
>     server 2-app <private_IP>:80 cookie B weight 5 check inter 20000 maxconn 30
>     server 3-app <IP>:80 cookie C weight 5 check inter 20000 maxconn 30 backup
>     redirect prefix d2.xx.com if !secure
>
> Does anything look to be amiss in this setup?
> Why would I get the public IP from wordpress but not from my PHP application?
>
> Thanks in advance
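An added example, not code from the thread or from the HAProxy project. The point of the thread is that HAProxy's log records the TCP peer (10.0.0.1, the stunnel hop) while the real client only travels in the X-Forwarded-For header. HAProxy 1.4 can put that header into its httplog line with `capture request header X-Forwarded-For len 64` in the frontend (the captured value is printed in braces just before the quoted request line), and Apache can log it with `%{X-Forwarded-For}i` in its LogFormat. The Python below, which a fail2ban-style filter would embody as a regex, parses both kinds of line, takes the right-most X-Forwarded-For hop that is not one of the proxies we control, and refuses to return the balancer's own address, which is exactly the mistake that got the load balancer banned. The addresses, the `capture` setting and every log line are constructed; 10.0.0.1 is assumed to be the stunnel/haproxy host as in the thread.

```python
"""Pick the real client out of HAProxy / Apache log lines behind a proxy chain.

Added example, not from the thread. Assumes: 10.0.0.1 is the stunnel+haproxy
host (as in the thread), the haproxy frontend has
`capture request header X-Forwarded-For len 64`, and Apache's LogFormat
starts with %{X-Forwarded-For}i instead of %h. All log lines are constructed.
"""
import ipaddress
import re
from typing import Optional

# Hops we control. A line whose only address is one of these says nothing
# about the client, so it must never yield a ban.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.1/32"),   # stunnel + haproxy box (assumed)
    ipaddress.ip_network("127.0.0.0/8"),
]

# HAProxy `option httplog` line. The optional {...} group is the captured
# X-Forwarded-For header, which HAProxy prints right before the request.
HAPROXY_RE = re.compile(
    r'haproxy\[\d+\]: (?P<src>[\d.]+):\d+ \[[^\]]+\] \S+ \S+ [\d/-]+ '
    r'(?P<status>\d{3}) \d+ \S+ \S+ \S+ \S+ \S+ '
    r'(?:\{(?P<xff>[^}]*)\} )?"(?P<req>[^"]*)"'
)

# Apache line whose first field is %{X-Forwarded-For}i ("-" when absent,
# e.g. for the balancer's own health check, which carries no header).
APACHE_RE = re.compile(
    r'^(?P<xff>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_from_xff(xff: str) -> Optional[str]:
    """Right-most X-Forwarded-For hop that is not one of our own proxies.

    Each proxy appends the peer it saw, so entries we control sit at the
    right end and are reliable; anything left of the first untrusted hop
    was supplied by the client and is ignored.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed value: do not ban garbage
    return None


def client_address(line: str) -> Optional[str]:
    """Real client for a HAProxy or Apache line, or None when the line only
    reveals one of our proxies (the case that banned the balancer)."""
    m = HAPROXY_RE.search(line)
    if m:
        if m.group("xff"):
            return client_from_xff(m.group("xff"))
        src = m.group("src")          # no header captured: fall back to TCP peer
        return None if is_trusted(src) else src
    m = APACHE_RE.search(line)
    if m:
        return client_from_xff(m.group("xff"))
    return None


def ban_candidate(line: str, bad_statuses=range(400, 500)) -> Optional[str]:
    """Address a fail2ban jail should count, if the line is a failed request
    from a real client; None otherwise."""
    m = HAPROXY_RE.search(line) or APACHE_RE.search(line)
    if not m or int(m.group("status")) not in bad_statuses:
        return None
    return client_address(line)


# Constructed sample lines (203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LINES = [
    # 1. As in the thread: stunnel's connection logged as 10.0.0.1, no capture.
    'localhost haproxy[27745]: 10.0.0.1:45260 [26/Sep/2013:10:19:59.110] http-in load/l2-app 0/0/1/529/530 404 9560 - - --VN 0/0/0/0/0 0/0 "GET /product/da.ddd HTTP/1.1"',
    # 2. Same request once the frontend captures X-Forwarded-For.
    'localhost haproxy[27745]: 10.0.0.1:45261 [26/Sep/2013:10:20:01.003] http-in load/l2-app 0/0/1/12/13 404 9560 - - --VN 0/0/0/0/0 0/0 {203.0.113.7} "GET /product/da.ddd HTTP/1.1"',
    # 3. Client sends its own X-Forwarded-For; stunnel appends the real peer.
    'localhost haproxy[27745]: 10.0.0.1:45262 [26/Sep/2013:10:20:02.500] http-in load/l2-app 0/0/1/12/13 404 9560 - - --VN 0/0/0/0/0 0/0 {198.51.100.9, 203.0.113.7} "GET /product/x HTTP/1.1"',
    # 4. Plain HTTP on :80 hits haproxy directly; the TCP peer is the client.
    'localhost haproxy[27745]: 203.0.113.8:51000 [26/Sep/2013:10:20:03.000] http-in load/l2-app 0/0/1/12/13 404 9560 - - --VN 0/0/0/0/0 0/0 "GET /product/y HTTP/1.1"',
    # 5. Apache with %{X-Forwarded-For}i first: the balancer's health check has none.
    '- - - [25/Sep/2013:23:47:42 -0400] "OPTIONS /product/data.php HTTP/1.1" 200 3477 "-" "-"',
    # 6. Apache 404 behind the proxy.
    '203.0.113.7 - - [25/Sep/2013:23:48:00 -0400] "GET /product/da.ddd HTTP/1.1" 404 512 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(ban_candidate(line), "<-", line[:60])
```

Line 1 yields no candidate at all: without the capture, the only address on the line is the balancer's, and returning it is how fail2ban came to block the load balancer. With the capture in place (line 2) or with the header logged by Apache (line 6) the real client comes out, and a client-supplied X-Forwarded-For (line 3) cannot redirect the ban because only the hop appended by our own proxy is trusted.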

